
On July 14, by a unanimous voice vote, the House Permanent Select Committee on Intelligence reported the Intelligence Authorization Act for Fiscal Year 2018 (H.R. 3180) to the full House of Representatives.

According to the Committee, this legislation provides the Intelligence Community (IC) the critical resources and authorities to ensure it remains capable of protecting and defending the United States.

The bill supports critical national security programs, particularly those focused on countering terrorism and cyberattacks. The total funding levels authorized by the bill are slightly below the president’s budget, balancing fiscal discipline and national security. This legislation:

Focuses the Defense Intelligence Agency (DIA) on core missions by eliminating several DIA components and functions or realigning them to other IC elements;

Protects against foreign threats to elections by requiring the Director of National Intelligence to electronically publish an unclassified advisory report on foreign counterintelligence and cybersecurity threats to election campaigns for federal offices;

Strengthens intelligence oversight by ensuring that IC contractors can meet freely with Congress; and

Improves IC accountability to Congress by requiring the IC to provide reports on:

Investigations of leaks of classified information;

Security clearance processing timelines;

The process for reviewing information about computer vulnerabilities for retention or potential release; and

The Act makes no changes to any surveillance authorities, including those set to expire later this year, which will be addressed in separate legislation.

Chairman Devin Nunes stated: “When our nation faces major national security challenges from terrorist groups as well as nation states, it’s essential that the Intelligence Community get all the resources it needs to do its job while Congress has the necessary tools to conduct rigorous oversight of its work. This bill will ensure that our intelligence professionals have the best possible chance of success in thwarting foreign threats.”

Ranking Member Adam Schiff stated: “Our nation faces a diverse and growing array of threats, and it is more important than ever that we give the intelligence agencies the resources, authorities and capabilities they need to protect our nation, while also ensuring we protect our privacy and civil liberties. This bill is the product of months of oversight and investigation and a bipartisan commitment to the country’s security. I look forward to taking the bill up on the House floor and to its eventual passage.”

Damaging cyber attacks against the U.S. energy infrastructure do not currently pose a significant threat according to an intelligence assessment released by the Department of Homeland Security and Industrial Control Systems Computer Emergency Response Team (ICS-CERT) in January. While cyber actors backed by a number of nation-states are actively “targeting US energy sector enterprise networks,” these activities are focused primarily on supporting cyber espionage activities to acquire and maintain “persistent access to facilitate the introduction of malware” in the event of “hostilities with the United States.”

The restricted DHS assessment titled “Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector” was obtained by Public Intelligence and reveals that at least seventeen intrusions against the U.S. energy sector were traced back to APT actors in FY 2014. The attacks never resulted in damage or disruption, but were instead focused on “data theft from enterprise networks” and “accessing and maintaining presence on ICS” networks and systems. One example cited in the assessment is a piece of malware called Havex that was “likely developed by Russian state-sponsored cyber actors.” The existence of the malware was first disclosed in a June 2014 blog post by Finnish security firm F-Secure which described how the remote access tool (RAT) was being used as part of an industrial espionage campaign. DHS states that this campaign dates back to 2011 and that while the “main function is to gather information,” Havex can also run “specialized plug-ins for additional capabilities.”

The assessment also mentions an attack on the Ukrainian energy sector in December 2015 that resulted in at least 80,000 customers losing power for up to six hours. At the time the assessment was written, ICS-CERT stated that they were “unable to confirm” the event was triggered by cyber means, but that a sample of the malware provided by the Ukrainian Government had the capability to “enable remote access and delete computer content, including system drives.” While DHS does not attribute the attack to any specific cyber actor, the assessment states that the attack is “consistent with our understanding of Moscow’s capability and intent, including observations of cyber operations during regional tensions.”

A month after the DHS assessment was published, ICS-CERT released an alert describing the attack in much greater detail and relaying the findings of a team that included representatives of the U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, FBI and North American Electric Reliability Corporation. The alert increased the number of those affected by the attack to more than 225,000 customers, noting that the attack was “reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.” The attackers reportedly “acquired legitimate credentials and leveraged valid remote access pathways” to cause 50 regional substations to experience “malicious remote operation of their breakers conducted by multiple external humans.”

ICS-CERT also released a restricted version of the alert marked For Official Use Only that included non-public details and analysis of the vulnerabilities exposed by the attack. An updated version of the restricted alert from March was also obtained by Public Intelligence and states that “critical infrastructure [industrial control system or ICS] networks, across multiple sectors, are vulnerable to similar attacks.” ICS-CERT argues that the “incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks” that could result from the use of a number of different techniques that were employed by the attackers, including:

• Theft of legitimate user credentials to enable access masquerading as approved users;
• Leveraging legitimate remote access pathways (VPNs);
• Remote operation of human-machine interfaces (HMIs) via company-installed remote access software (such as RDP, TeamViewer or rlogin);
• Use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems;
• Firmware overwrites that disable or destroy field equipment;
• Unauthorized scheduled disconnects of uninterruptible power supplies (UPS) to devices to deny their availability;
• Delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments;
• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

During the attacks, “remote human operators” accessed the workstations of dispatchers at the facilities using legitimately installed tools for remote access. They used this access to trip the breakers, change the passwords for key systems, corrupt the firmware of serial-to-Ethernet converters used for substation communication, and leverage backup battery systems to trigger shutdowns of connected servers and devices. In one instance, the attackers used an uninterruptible power supply (UPS) to target an internal telecommunications server, which cut off “all internal communications with regional offices and distribution substations.”
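As an added example (not part of the original post or the ICS-CERT alert), the correlation below shows one detection a defender can build from the pattern described above: it merges Windows logon events from dispatcher HMI workstations with the HMI control audit log and flags breaker and UPS actions issued while a remote-interactive session (RDP, Windows logon type 10) is open on that host. The host names, user names and log format are constructed assumptions.

```python
from datetime import datetime, timedelta

REMOTE_LOGON_TYPE = "10"          # Windows event 4624 LogonType 10 = RemoteInteractive (RDP)
SESSION_WINDOW = timedelta(hours=1)  # assumed: a remote session older than this is stale

# Constructed sample timeline (not from the alert): one line per event,
# fields are "date time host kind key=value ..." in chronological order.
SAMPLE_EVENTS = """
2015-12-23 15:20:05 HMI-DISP-01 logon type=10 user=oper7
2015-12-23 15:21:10 HMI-DISP-01 control action=BREAKER_OPEN target=sub17
2015-12-23 15:21:40 HMI-DISP-01 control action=UPS_SCHEDULE target=telecom-srv
2015-12-23 15:22:00 HMI-DISP-02 logon type=2 user=oper3
2015-12-23 15:23:00 HMI-DISP-02 control action=BREAKER_CLOSE target=sub04
2015-12-23 15:25:00 HMI-DISP-01 logoff user=oper7
2015-12-23 16:40:00 HMI-DISP-01 control action=BREAKER_OPEN target=sub18
""".strip()


def parse_events(text):
    """Turn the constructed log text into (timestamp, host, kind, details) tuples."""
    events = []
    for line in text.splitlines():
        date, time, host, kind, *kv = line.split()
        details = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(f"{date} {time}"), host, kind, details))
    return events


def flag_remote_control_actions(events, window=SESSION_WINDOW):
    """Return control actions issued from a host with a live remote-interactive session.

    A type-10 logon opens a session for the host; a logoff by the same user or
    the expiry of `window` closes it. Console (type 2) logons never open one.
    """
    remote_sessions = {}  # host -> (user, logon time)
    flagged = []
    for ts, host, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "logon" and d.get("type") == REMOTE_LOGON_TYPE:
            remote_sessions[host] = (d.get("user"), ts)
        elif kind == "logoff":
            sess = remote_sessions.get(host)
            if sess and sess[0] == d.get("user"):
                del remote_sessions[host]
        elif kind == "control":
            sess = remote_sessions.get(host)
            if sess and ts - sess[1] <= window:
                flagged.append({"time": ts.isoformat(sep=" "), "host": host,
                                "user": sess[0], "action": d.get("action"),
                                "target": d.get("target")})
    return flagged


if __name__ == "__main__":
    for hit in flag_remote_control_actions(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

On the constructed timeline only the two actions taken from HMI-DISP-01 during the RDP session are flagged; the console-issued BREAKER_CLOSE and the post-logoff BREAKER_OPEN are not.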

Despite the risks demonstrated in the Ukrainian attack, the DHS assessment from January tries to downplay the threat posed by state actors, noting that 63 percent of malicious cyber activity in FY 2014 was “unattributed, low-level activity” related to cybercrime using methods such as ransomware and denial-of-service attacks. The assessment’s authors also include a section criticizing the media’s over-hyping of cyber attacks and cyber warfare as leading to “misperceptions about the cyber threat to the US energy sector.” The term “cyber attack” is often used by the media and private sector to refer to incidents and activities that are not necessarily intended to “cause denial, disruption, destruction, or other negative effects” which would better be described as “cyber espionage, and even low-level, untargeted incidents of cybercrime.” The assessment even speculates that overuse of the term could lead to “alarm fatigue” which could lead to less reporting of incidents and longer response times.